kkennyb711, Posted October 1, 2012

Hi, I scanned my computer with the old version of Emsisoft Anti-Malware (updated to the latest definitions). It came up that I had Searchqu. I restarted the computer as instructed and did another scan just to make sure it had been removed. It had. I checked on the top of IE9, right-clicked, and it was still there but not ticked. I did a search and found that it is bundled with iLivid, which I uninstalled. I then uninstalled Searchqu from Programs and Features. When I did this, 2 things happened. ZoneAlarm Free stopped a connection to the internet, saying that Searchqu was trying to transmit a library somewhere on the net; it tried to transmit about 3 times. The second thing was that Avast Free said that Searchqu was trying to alter files within the OS; it stopped this. Searchqu did uninstall eventually (or appear to).

I checked on the top of IE9 and right-clicked, and Searchqu was still there but again with no tick. Out of curiosity I ticked it and it said "do you want to enable this add-on" and underneath it said "searchqu toolbar (not available)". I enabled it and again there was no tick next to Searchqu, so I right-clicked again and it said "do you want to disable this toolbar" and underneath it said "searchqu toolbar (not available)". Searchqu was still there with no tick.

What I want to know is if it has been removed by Emsisoft Anti-Malware (because it says not available) or could it still be active? I ran a full scan with the latest version of Emsisoft Anti-Malware (latest updates) and it detected no threats. Thanks for any help, regards, Ken.

jeffce, Posted October 1, 2012

Hi and welcome,

More than likely there are still parts of it on your system that need to be removed. Please go here and attach the logs that are requested in the topic to your next reply.

kkennyb711 (Author), Posted October 2, 2012

Hi, please find attached the 3 logs you requested re: Searchqu. Many thanks for your time, regards, Ken.

jeffce, Posted October 2, 2012

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

**Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

----------

Run OTL.exe

Copy/paste the following text written inside of the quote box into the Custom Scans/Fixes box located at the bottom of OTL

:Services
:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-re...q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-re...q={searchTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-re...q={searchTerms}
IE - HKCU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://uk.ask.com/we...il&geo=GB&ver=5
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL File not found
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) - File not found
O33 - MountPoints2\{7e4dfa5f-9f7f-11e1-bb56-00269ec3cf49}\Shell - "" = AutoRun
O33 - MountPoints2\{7e4dfa5f-9f7f-11e1-bb56-00269ec3cf49}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{8cb0b07d-aa6d-11e1-8856-00269ec3cf49}\Shell - "" = AutoRun
O33 - MountPoints2\{8cb0b07d-aa6d-11e1-8856-00269ec3cf49}\Shell\AutoRun\command - "" = F:\setup.exe
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Then run a new scan and attach a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

----------

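The entries in the fix script above can be triaged mechanically. As an added example (not part of the original posts and not OTL's own code), this Python code parses a subset of those lines and separates the entries marked "File not found" from those whose target is still listed; the function names and regular expressions are assumptions based only on the lines shown in this thread.

```python
import re
from collections import Counter

# Entries copied from the fix script in the post above (search-scope lines
# with truncated URLs are left out). Sample input only.
SAMPLE = r'''
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL File not found
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) - File not found
O33 - MountPoints2\{7e4dfa5f-9f7f-11e1-bb56-00269ec3cf49}\Shell\AutoRun\command - "" = F:\setup.exe
'''

# "O2", "O20:64bit:" etc., then " - ", then the rest of the entry.
ENTRY = re.compile(r"^(?P<tag>O\d+)(?P<x64>:64bit:)? - (?P<body>.+)$")
# Autostart location named in the entry (first match wins).
LOCATION = re.compile(r"(BHO|Toolbar|Run|AppInit_DLLs|MountPoints2)[:\\]")
# Drive-letter path up to the first .dll/.exe; tolerates spaces and 8.3 names.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)
MISSING = "File not found"


def parse_entry(line):
    """Return a dict for one O-numbered line, or None if it is not one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    loc = LOCATION.search(body)
    path = PATH.search(body)
    return {
        "tag": m.group("tag"),
        "x64": m.group("x64") is not None,
        "location": loc.group(1) if loc else "unknown",
        "path": path.group(0) if path else None,
        # The entry still exists in the registry but its file is gone.
        "orphaned": body.rstrip().endswith(MISSING),
    }


def triage(text):
    """Parse every recognisable entry in a pasted script or log excerpt."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def orphan_summary(entries):
    """Count leftover registry references per autostart location."""
    return Counter(e["location"] for e in entries if e["orphaned"])


def still_listed(entries):
    """Paths of entries without the 'File not found' marker."""
    return [e["path"] for e in entries if not e["orphaned"]]


if __name__ == "__main__":
    parsed = triage(SAMPLE)
    print("orphaned references:", dict(orphan_summary(parsed)))
    for p in still_listed(parsed):
        print("target still listed:", p)
```
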
kkennyb711 (Author), Posted October 2, 2012

Hi, not sure if I did everything right. I ran OTL Run Fix with lop check and parity check both checked, then restarted and did a new scan with lop check and parity check both unchecked. I only got 1 file, OTL, which I have attached. The Searchqu option on the selection at the top of the browser has vanished! Thanks very much for your time, regards, Ken.

jeffce, Posted October 3, 2012

Hi,

I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java. Now download and install the newest version from here >> http://java.com/en/download/index.jsp

-------------

Clear Java Cache

See this page for instructions on how to clear Java's cache.

- Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked:
  - Downloaded Applets
  - Downloaded Applications
  - Other Files
- Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.

----------

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Click Start
- Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- Wait for the scan to finish
- When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
- Save that text file on your desktop. Attach the contents of that log as a reply to this topic.
- Close the ESET online scan, and let me know how things are now.

----------

Attach the logs made by Malwarebytes and ESET and let me know how your system is running.

kkennyb711 (Author), Posted October 4, 2012

Hello again! I have installed and run PCTools yesterday; please find attached its history log and the other 2 you requested. Yontoo is listed on Programs/Features (installed 1/10/2012). I don't remember installing anything that this could have been bundled with! Many thanks for the ongoing support, regards, Ken.

jeffce, Posted October 4, 2012

Hi,

Looks pretty good. How is your system running?

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:Services
:Files
C:\ProgramData\Spybot - Search & Destroy\Recovery\YontooPagerage2.zip
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
:Commands
[purity]
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[Reboot]

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Then run a new scan and attach a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

kkennyb711 (Author), Posted October 4, 2012

Hi, my system is running fine thanks, but I'm a bit worried by the threats in the history of PCTools. I ran the fix with OTL. I checked lop check and purity, but it got interrupted by PCTools because it detected that OTL was changing a dll or something. I allowed it and ticked the box so it would remember. It rebooted, I checked the log (attached) and it has an error (maybe caused by the interruption?). Should I do the whole thing again? Regards, Ken.

jeffce, Posted October 4, 2012

Yes please run that again with the same set of instructions as before.

kkennyb711 (Author), Posted October 5, 2012

Hi, an error was in the first OTL log so I have attached it. On the second run, PCTools interrupted and reported that OTL was trying to connect to the internet. I allowed it. Regards, Ken.

jeffce, Posted October 5, 2012

How is your system running now? I didn't see anything in the PCTools log that was of particular concern.

kkennyb711 (Author), Posted October 5, 2012

Hi, my computer's running fine! It's just a couple of entries in the PCTools history:

Threat Name - Spyware.Known_Bad_Sites
Details - Site Guard has blocked access to a bad website
Risk Level - High
Infection - ad.bnmla.com (67.217.168.212)
Infection was detected on this computer

Threat Name - Spyware.Known_Bad_Sites
Type - Internet Temporary File
Risk Level - High
Infection - - http://ad.bnmla.com/...865&noe=1= 04/10/2012 18:06:28:341

Also Yontoo is still listed under Programs/Features. Should I just uninstall it? Thanks, regards, Ken.

jeffce, Posted October 5, 2012

> its just a couple of entries in pctools history

This is just what PCTools is blocking. It is not showing an active infection on your system but that the web site is possibly bad.

Yes you can go ahead and uninstall Yontoo from Control Panel >> Programs and Features

Other than that, I think that you should be good to go if there are no more problems. When you let me know we can clean up our tools.

kkennyb711 (Author), Posted October 5, 2012

Hi, please forgive my ignorance but I did not try to connect to this bad website and was thinking that something inside my computer was trying to connect to it. Do you think I will be safe to use my credit cards and online banking sites safely now on this machine? I am a bit paranoid because I have been the subject of credit card fraud in the past a couple of times even though I have only used them on safe sites! I think it is OK for you to clean up. Thank you very much for your in-depth assistance and I will definitely be recommending your product to my friends. Regards, Ken.

kkennyb711 (Author), Posted October 5, 2012

Hi, I can't uninstall Yontoo. ZoneAlarm came up with endless repeated warnings that Yontoo was displaying suspicious behaviour; it never stopped until I cancelled the uninstall. Firstly it said tam installer is trying to communicate with c:\windows\system32\taskhost.exe by opening its process; this went on and on listing different programs from my computer. Please help. Regards, Ken.

jeffce, Posted October 5, 2012

Ok....let's get another look....

Please download DDS from either of these links LINK 1 LINK 2 and save it to your desktop.

- Disable any script blocking protection
- Right-click and Run as Administrator dds to run the tool.
- When done, two DDS.txt's will open.
- Save both reports to your desktop.

---------------------------------------------------

Please attach the following in your next reply:
- DDS.txt
- Attach.txt

----------

kkennyb711 (Author), Posted October 5, 2012

Hi, more problems! While trying to download from link 1, ZoneAlarm browser security reported "the files content layout and format resembles that of malicious software". I know you wouldn't try to send me any malware, but just in case the link has been hijacked I want to check that it's just because it probably contains virus definitions that ZA thinks is a threat.

Just to update you: after trying to uninstall zondoo I tried to uninstall Adobe Reader (because I read that it can harbour malicious code). It wouldn't let me. Is this suspect? It said "the windows installer service could not be accessed this can occur if the windows installer is not correctly installed".

I needed to uninstall then reinstall Emsisoft because when PCTools did a scan, Avast quarantined files from Emsisoft that PCTools was scanning at the time (which I couldn't restore from Avast's quarantine). When I tried to reinstall Emsisoft it wouldn't let me; it said that Emsisoft was still installed, as if the uninstaller had not worked properly. This is the first time I've had problems uninstalling programs. Please advise, regards, Ken.

jeffce, Posted October 5, 2012

Go ahead and continue with the download of DDS past the ZoneAlarm warnings. The link is fine. As for the rest we can come back to that...

kkennyb711 (Author), Posted October 6, 2012

Hi, just to check: I have disabled anything to do with scripting on IE and Firefox; after running DDS I have reset them. I could not find any script blocking stuff in any of my anti-malware software. Please find attached the files you requested. Thanks, regards, Ken.

jeffce, Posted October 6, 2012

Hi,

I notice that you have both Avast and PCTools running at the same time. Having more than one antivirus program running at the same time can seriously degrade the performance of your system. Please uninstall either Avast or PCTools (whichever you prefer) using either the provided uninstall feature that is part of the antivirus program or through Add/Remove Programs (for Vista and Win 7 users to go to Programs and Features in the Control Panel).

As a rule of thumb one should run one firewall, one antivirus program in memory, and one antispyware utility in memory. It's fine to have other security tools available on an as-needed or on-demand basis, but when multiple tools simultaneously perform the same function, you're asking for trouble.

You also have two firewalls on your system being run by PCTools and ZoneAlarm.

With configuration I would actually recommend the following but you can decide what is best.... if it were my system I would run only Avast and use the Windows 7 firewall and remove the rest.

Once you get that finished please run a new scan with DDS and attach the new log created.

kkennyb711 (Author), Posted October 6, 2012

Hi, I do not want to remove PCTools. After your advice I want it to do request scans only; I have disabled everything else including its firewall. In the future I want to run Emsisoft as my AV (scrapping Avast), ZA and Malwarebytes (paid for), using Spybot and PCTools to run extra scans (PCTools on request, not scheduled). Do you think this is OK? Or would you use AVG Free instead of Malwarebytes? Also PCTools has host protection; is this good or would I be better using HostsMan? Thanks a lot, regards, Ken.

jeffce, Posted October 6, 2012

Hi,

> in the future i want to run emsisoft as my AV(scrapping avast) ZA and malwarebytes (paid for) using spybot and pctools to run extra scans (pctools on request not scheduled) do you think this is ok? or would you use AVG free instead of malware bytes?also pctools has host protection is this good or would i better using hostsman?

I see that avast is still showing in your DDS log? Did you remove that after you ran DDS?

I would not use AVG instead of Malwarebytes (or at all). AVG is an antivirus program and Malwarebytes is an antimalware program...they actually do different things. With PCTools having a hosts protection I would just stick with that (I don't use any at all). Truthfully I only run one antivirus (with firewall) and Malwarebytes.

----------

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

ClearJavaCache::
DDS::
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
Firefox::
FF - ProfilePath - C:\Users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\mo67fojz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=C6D93083-C04E-40C6-8F4C-9C9CE91D49EB&apn_ptnrs=&apn_sauid=6ABF12C8-DC75-467E-A9AD-5EEA26C25DD5&apn_dtid=OSJ000&&q=
File::
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
Folder::
C:\Program Files (x86)\Ask.com
C:\ProgramData\Ask

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Attach the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

kkennyb711 (Author), Posted October 6, 2012

Hi, should I disable ZoneAlarm? It does not have anti-virus but it seems to display anti-virus characteristics. Also in IE do I disable everything to do with scripting (this is what I have been doing) or just JavaScript? Thanks, regards, Ken.

jeffce, Posted October 6, 2012

Yes go ahead and disable ZoneAlarm for now but don't worry about anything in IE. Attach the ComboFix log when complete.

kkennyb711 (Author), Posted October 7, 2012

Hi, I followed your instructions precisely. When I dropped the text file onto the cat, all that happened was that the text file opened, nothing else. I waited for a couple of minutes and still nothing happened. I thought that maybe I was meant to download the application, but when I clicked on it or right-clicked nothing happened. Please advise, regards, Ken.

jeffce, Posted October 7, 2012

Hi,

Go ahead and boot to Safe Mode and then attempt the same instructions that I gave you earlier for ComboFix.

kkennyb711 (Author), Posted October 8, 2012

Hi, my HD has crashed! It gave out screeching noises when I turned it on and the computer wouldn't start up at all. Thanks for all the help and your time, a pity it was wasted! Bye, Ken.

jeffce, Posted October 8, 2012

What do you mean your system has crashed? Will it not start in Safe Mode or at all? Let me know exactly what your system is doing.

jeffce, Posted October 10, 2012

Are you still with me?

jeffce, Posted October 11, 2012

Due to lack of feedback, this topic will now be closed. If you are the original poster and you still require help, please start a new thread.